Backup rule "3-2-1". Part 2

In the first part of this article, we talked about the “3-2-1” backup rule. Now we invite you to look at the second part of the article containing a recording of our one and a half hour webinar prepared in the format of a whiteboarding session (that is, no PowerPoint slides — only our expert and a presentation board will be), where he shows step by step what problems companies have in the field of backup copying, and as a rule, “3-2-1” can be implemented in practice using the example of the Veeam Backup & Replication product. In addition to recording a webinar, the article provides answers to the most pressing questions asked by participants during its online broadcast.

Questions after the webinar "Whiteboard Russia: Let's start with a clean slate!":

• What is the best way to organize a consistent backup of distributed applications consisting of several servers?

Just like regular servers. The main thing to warn the application that will be backed up. Moreover, we must understand that consistency is primarily necessary for transactional applications and file systems.

• “Principle 3-2-1 is very expensive.”

It all depends on how much your data is worth and how critical it is to lose it. For example, how much can one assess the loss by a professional photographer of his personal photo archive or photo archive of his entire studio? Most likely, such an event would be a complete disaster for him. Therefore, it is probably not accidental that it was the photographer (Peter Korghe) who first introduced the concept of backup rules “3-2-1” in his book. In this case, the archive of last year's e-mail can be stored in two or even one backup. So it all depends on the compilation of the cost of data protection and the cost of damage from their loss.

• “Are tapes dying off?”

According to Gartner's “Organizations Leverage Hybrid Backup and Recovery” research, large backup companies use a combined approach for the use of disk storage and tape drives. This backup storage strategy allows you to reduce the RTO and RPO (i.e., increase the speed of the process and reduce the backup time) for the most up-to-date data and critical information, and at the same time, reduce the cost of owning a backup infrastructure for long-term information storage, which is required, for example, to fulfill legal requirements.

According to statistics, 80% of all recovery operations occur in data that have an “archiving” age, not exceeding 4 weeks. Thus, it is reasonable to place backups within the last 4 weeks on fast-accessible disk storage, although they are more expensive (based on the cost per unit of information storage) than tape.

Despite ongoing progress in reducing the unit cost of storing information on disk drives, tape drives remain the leaders in this indicator. They perfectly combine the reliability of storage, the mobility of data carriers (tapes) and the low unit cost of information storage. Thanks to this combination of indicators, tape drives are great for long-term (long-term) data storage. Tapes in this role can be supplanted so far only by a cloud optimized for backup storage, such as Amazon Glacier.

In conclusion, we can say that it is still the most easily portable storage method.

• Is data encryption supported?

Data that is transmitted over the Internet to the cloud is encrypted. But encrypting the backups themselves on a disk or tape is not supported.

• To work on the 17th order of the FSTEC, for certification of a system with the availability of restricted access information, the use of certified solutions is required, including for backup. In a recent RISSPA analytics on the choice of information security tools for virtualized infrastructures, Veeam solution is indicated, but regulators do not have certification data. Does the company plan to work in this direction (solution certification)?

Indeed, paragraph 20.11 of the Order states that “measures to protect the virtualization environment must exclude unauthorized access to ... the backup system and the copies it creates”. What are these “measures”? According to paragraph 26 of the Order “Technical Information Security Measures are implemented through the use of information protection facilities (GIS) having the necessary security functions.” Further in this paragraph of the Order lists specific types of GIS: GIS from unauthorized access, antivirus, IDE and ME. The list is closed. What SZI are needed in terms of certification? According to paragraph 11 of the Order “To ensure the protection of information contained in the information system, GIS are applied that have been evaluated in the form of mandatory certification”. Thus, as we see, certification requirements are established for specialized hardware (hardware or software products) that perform protection functions (antivirus, ME, DSS from unauthorized access, OWL). These requirements do not apply to system-wide software that processes restricted access information (which includes backup products). Of course, if the system-wide software contains built-in protection functions (such as, for example, an operating system) and is planned to be used for security measures during system attestation, then a certificate for such embedded GIS will be required, or otherwise they cannot be used as protection measures .

Thus, in our opinion (and this position coincides with the position of Maria Sidorova, vice-president of RISSPA), we can conclude: since Veeam Backup is system-wide software, and not GIS, it should not be used for certification as a technical GIS to ensure measures to protect information, and, as a consequence, the requirements for mandatory certification of GIS does not apply. Therefore, we do not yet have plans for Veeam Backup certification according to the requirements of FSTEC.

• What platform is Veeam installed on (Appliance, Windows, Linux)? How is the server of Veeam backed up and restored?

Veeam is always installed on the Windows platform. Whether it will be a physical or a virtual server is not important. If we talk about the backup of the Veeam server itself, then this server does not store vital information on backup copies, but only infrastructure settings. For example, the number and schedule of tasks, how many repositories you have, tape libraries and so on. These settings are stored in the SQL database and the settings file.

If SQL is stored on a separate VM (and this is our usual recommendation), then you can back it up using Veeam. The settings file is automatically saved in default repository Veeam, but you can specify a different location. At the same time, Veeam backups are completely self-contained. All recovery information (how many recovery points, deduplication and compression information, etc.) is stored in the backup itself. You can restore the backup even if there is no Veeam server.

• How to restore the infrastructure if the failure also affected the backup infrastructure (Veeam servers)?

First of all, see the description of question number 6. Now order.

Option 1 (the most correct if you made a backup Veeam)

1. We recover VM with SQL in which the Veeam base was stored. You can directly from the backup using our utility;
2. Install the new Veeam, specify the SQL database that we just restored;
3. Import the Veeam settings file;
4. All infrastructure is ready;

Option 2 (if you did not do backups)

1. Install the new Veeam server;
2. We make infrastructure settings (add vCenter, Veeam Repository, etc.);
3. We import old backups;

It is already possible to restore the VM, BUT all settings with schedules will have to be recreated.

• What is the recommended number of recovery points?

By default, we have 14 recovery points configured, but this is not a recommendation. There are no recommendations as a matter of fact, since this parameter depends on your policies and procedures within the company for data storage. How important is the information for you, how long is it necessary to store it, etc.

• How does Veeam relate to software access from scripts and the user's application to the backup infrastructure?

All Veeam functions available from the GUI are also available as PowerShell cmdlets and these functions are officially supported.

• Is it possible to create pre-backup scripts?

There are Pre-Freeze / Post-Thaw scripts inside the VM, and there are Post-Backup scripts outside the VM. You can run jobs with PowerShell and pre-execute the necessary actions.

• Is there DAG support in Microsoft Exchnage 2010/2013?

Yes there is.

useful links

• Veeam Backup & Replication
• RISSPA Association makes recommendations on the choice of information security tools for virtualized infrastructures.